Cisco Support Community

Certificate Only Authentication

Hello,

We are using Zenprise to manage approximately 120 mobile devices.  About 90% of them are iOS devices, and the users are not savvy enough to configure ActiveSync, let alone change the login credentials as needed each time their password expires in Windows.  We are attempting to configure a certificate-based wireless setup, with Zenprise pushing a standard certificate authority and allowing the device to request a user-specific certificate.  This part is working fine so far.

The part we are having trouble with is, no matter how we configure the wireless on the devices, they always ask for a password, which we are trying to avoid.

Any help would be greatly appreciated.

Regards,

Mark

7 REPLIES

Certificate Only Authentication

Is it asking for the user password when the device is requesting the user certificate?

Steve

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered

Certificate Only Authentication

That seems to be the case, although we would rather not have the user enter any information if at all possible.  The margin for error is too high, and the resources for assistance are too thin.

Mark

Re: Certificate Only Authentication

I don't think you are going to get around that. With a user certificate they are going to need to provide credentials to prove they have the authority to get the cert from the CA.

Stew


Certificate Only Authentication

The issue we are trying to stop is having to visit 10 to 15 users each day because their passwords have changed on their devices and they do not understand how to change them.  It appears, even with the currently described configuration, that when the user password changes, so does the password for the certificate.  Is there a way to have this be a one-time password entry and keep the certificate valid after a password change?

Thanks,

Mark

Certificate Only Authentication

Mark:


When the password changes the certificate will still be valid.

The password that is provided when the user tries to download the certificate from the CA is to prove that the user is authorized to get that certificate. The password has nothing to do with the content of the certificate itself. So you can safely use the certificate as it is password independent.

If the password is changed the certificate should still be valid until it expires.

HTH

Amjad



Rating useful replies is more useful than saying "Thank you"

Certificate Only Authentication

Amjad:

This is how I thought it should work as well, however, the certificate now is prompting for a password on each connection if the password has changed.  I thought this was odd, and thank you for confirming that this is not standard behavior.  I will look into this and see what I can find.  In the meantime, if you have any tips, I would love to hear them.

Regards,

Mark

Certificate Only Authentication

Hmmmm,
well Mark, I think this behavior could be related to the product itself. I mean the product designers are probably using this behavior, so that it asks for a certificate every time the password is changed.

You are using Active Directory and Microsoft CA all on Windows servers, right? If yes, then you had better ask a Microsoft expert about this behavior.

You also need to distinguish: is the device prompting for a password for confirmation only, or does it request a new certificate when the password is changed? If it requests a new certificate, then asking for the password is normal behavior for the server, because it will not provide a certificate without a password. It is then a client issue that needs to be investigated, to prevent it from asking for a certificate when the password is changed.

If it does not ask for a new certificate and only asks for a confirmation password (and uses the same old cert), then this is where a Microsoft expert would be more useful to tell us whether this behavior can be changed from the AD/CA server.

HTH

Amjad
